Fix Uncontrolled data used in path expression

cavenel · Dec 4, 2023 · cbe2003 · cbe2003
1 parent c8de7c1
commit cbe2003
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/tissuumaps/views.py b/tissuumaps/views.py
@@ -792,6 +792,9 @@ def send_file_partial(path):
 
     size = os.path.getsize(path)
     byte1, byte2 = 0, None
+    if len(range_header) > 1000:
+        abort(416)
+        return
     m = re.search(r"(\d+)-(\d*)", range_header)
     g = m.groups()